Privacy policy

1. Overview

Axis HQ, Inc. ("Axis", "we", "our", "us") provides AI-powered front-desk automation software to independent healthcare practices, with a particular focus on dental practices. This Privacy Policy ("Policy") describes how we collect, use, share, retain, and protect information in connection with our website (useaxis.app), our services, and our communications.

Please read this Policy carefully. By accessing our website, creating an account, or using our services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use our website or services.

2. Scope of this Policy

Axis processes information in three distinct roles, and different rules apply to each:

• Practice customer data.Information about our customers (dental and other healthcare practices), including personnel of those practices. Axis acts as a "business" or "controller" for this data under applicable U.S. state privacy laws.
• Protected Health Information (PHI).Information about patients of our practice customers that Axis processes on behalf of those practices. Axis acts as a "business associate" under the Health Insurance Portability and Accountability Act (HIPAA). PHI is governed by HIPAA and by the Business Associate Agreement (BAA) between Axis and each practice customer, not primarily by this Policy.
• Website visitor data.Information collected when visitors browse useaxis.app. Axis acts as a "business" or "controller" for this data.

Where PHI is concerned, HIPAA and the BAA take precedence. If there is any conflict between this Policy and the BAA with respect to PHI, the BAA controls.

3. Information we collect

3.1 From practice customers

• Account information: practice name, business address, business phone numbers, practice type, provider roster, staff names and roles, login credentials.
• Billing information: business name, billing address, tax identifiers where required, payment card details (processed through our payment processor, not stored by Axis in unencrypted form).
• Integration data: credentials or tokens required to integrate with your practice management system, phone system, eligibility clearinghouse, and similar systems you authorize.
• Support correspondence: emails, chat messages, call recordings, and documents exchanged with our support or implementation team.
• Usage data: product events, feature usage, log data, error reports, integration health metrics, and similar technical telemetry.

3.2 From your patients (PHI)

In connection with providing services to our practice customers, we receive, store, and transmit Protected Health Information on behalf of the practice. This includes:

• Audio recordings of patient calls.
• Transcripts generated by speech-to-text processing of those calls.
• Structured data extracted from calls and messages, including patient names, dates of birth, phone numbers, addresses, reason for visit, insurance information, scheduling preferences, and clinical triage notes.
• Metadata such as call timestamps, duration, appointment outcomes, and disposition codes.
• SMS and other messages between the practice and patients that pass through our services.

All PHI is governed by HIPAA and our BAA with your practice. Axis uses PHI only for the purposes permitted by the BAA and HIPAA.

3.3 From website visitors

• Information you submit through forms (name, email, practice name, message content).
• Automatically collected technical information: IP address, device and browser type, referring URL, pages viewed, time on page, approximate location (derived from IP).
• Cookie and similar technology identifiers, as described in Section 14.

3.4 From third parties

• Eligibility clearinghouses and payers, in connection with insurance verification for your patients.
• Identity verification and fraud prevention providers, when you create or modify an account.
• Publicly available information and sales data vendors, for prospecting and outreach to prospective customers.

4. How we use information

We use information for the following purposes:

• To provide, maintain, and improve our services, including operating the Ava voice agent, SMS messaging, scheduling, intake, insurance verification, reactivation, and reporting.
• To integrate with your practice management system and other authorized systems.
• To route, answer, and log patient calls and messages.
• To communicate with you about your account, service status, billing, support, security incidents, and material product updates.
• To personalize the service to your practice, including through our practice-specific knowledge graph (which uses your call and interaction history to improve accuracy for your practice only).
• To develop, test, and improve the aggregate functionality and reliability of our services, using de-identified data where feasible.
• To detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms of Service.
• To comply with legal obligations, respond to lawful requests from public authorities, and enforce our legal rights.

5. What we will not do with your information

We make the following commitments. These commitments apply to PHI, practice customer data, and website visitor data unless expressly limited.

• We will not use PHI or practice-identifiable data to train, fine-tune, or improve publicly available or third-party language models or artificial intelligence systems.
• We will not sell PHI or practice customer data to third parties. We do not engage in "sales" of personal information as defined under applicable U.S. state privacy laws with respect to PHI or practice customer data.
• We will not share PHI or practice customer data with advertising networks or data brokers.
• We will not market directly to your patients.
• We will not use PHI for our own marketing, product development, or analytics purposes in any form not permitted by the BAA or HIPAA.

6. How we share information

We share information only in the following circumstances:

6.1 Service providers and subprocessors

We share information with service providers who perform functions on our behalf, including voice infrastructure providers, speech-to-text and text-to-speech providers, language model providers, cloud hosting providers, data storage providers, monitoring and security providers, payment processors, and analytics providers. All service providers who receive PHI are bound by written agreements, including BAAs where HIPAA requires them, limiting their use of information to the services they provide to Axis.

A current list of our subprocessors is available on request to sebastian@useaxis.app. We may update the list from time to time and will provide practice customers with reasonable notice of material changes through the admin dashboard or email.

6.2 Legal process

We may disclose information if we believe in good faith that disclosure is required by law, regulation, legal process (such as a subpoena or court order), or a lawful request from a governmental authority. Where legally permitted, we will provide advance notice to the affected customer so they may seek a protective order.

6.3 Protection of rights and safety

We may disclose information where we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Axis, our customers, our customers' patients, or the public; to prevent or address fraud, security issues, or illegal activity; or to enforce our Terms of Service.

6.4 Corporate transactions

If we are involved in a merger, acquisition, financing, asset sale, reorganization, bankruptcy, or similar corporate transaction, information may be transferred as part of that transaction, subject to continuing obligations under our BAA and applicable law. Practice customers will be notified of any such transaction and, to the extent legally required, given the opportunity to delete or export their data before the transaction closes.

6.5 With your authorization

We share information with others when you direct or authorize us to do so (for example, when you elect to integrate Axis with a third-party service you use).

6.6 Aggregated and de-identified data

We may share aggregated or de-identified data that cannot reasonably be used to identify any individual or practice. PHI is de-identified in accordance with HIPAA's Safe Harbor or Expert Determination methods before being used in aggregate.

7. Data retention

We retain information for as long as needed to provide the services and as required by law.

• Call recordings, transcripts, and derived data are retained for the period configured by the practice in the admin dashboard. Default retention is twelve (12) months. Minimum configurable retention is thirty (30) days.
• Practice customer account and billing records are retained for up to seven (7) years after account closure for tax, audit, regulatory, and compliance purposes.
• Support correspondence is retained for up to three (3) years.
• Website visitor analytics are retained for up to twenty-four (24) months.
• Backups may persist for up to ninety (90) days after deletion, after which they are cryptographically destroyed on a rolling basis.

We may retain information longer where required by law, where a legal hold applies, or where reasonably necessary to resolve disputes or enforce agreements.

8. Your rights as a practice customer

As a practice customer, you may:

• Access practice customer data we hold about your practice through the admin dashboard and on written request.
• Correct inaccurate practice customer data.
• Delete practice customer data, subject to our legal, tax, audit, and security retention obligations.
• Export practice customer data in a structured, machine-readable format.
• Restrict or object to certain processing where applicable law provides such rights.
• Revoke prior authorizations for specific processing activities.

To exercise these rights, email sebastian@useaxis.app. We will respond within the timeframes required by applicable law, generally within forty-five (45) days.

9. Your patients' rights

Your patients have rights under HIPAA, including the right of access to, amendment of, and accounting of disclosures of their PHI. Those rights are enforced through the practice, which is the HIPAA covered entity. Axis supports the practice in fulfilling patient rights requests by providing relevant data exports and audit logs as required by the BAA. Patients should direct HIPAA rights requests to their practice, not to Axis.

Because HIPAA governs PHI, most U.S. state privacy laws (including the CCPA/CPRA and the state laws referenced in Section 11) exempt PHI from their individual-rights provisions. Patient rights with respect to PHI are provided by HIPAA.

10. California privacy rights (CCPA/CPRA)

This section applies to California residents whose personal information is processed by Axis in a role other than as a business associate under HIPAA (for example, employees of our practice customers whose business contact information we process, and California residents who visit our website).

10.1 Categories of personal information we collect

In the preceding 12 months, we have collected the following categories of personal information as defined under the CCPA/CPRA:

• Identifiers (name, email, phone, IP address, online identifiers).
• Customer records (account details, billing information).
• Commercial information (services purchased, usage history).
• Internet or other electronic network activity information.
• Geolocation data (approximate, derived from IP).
• Professional or employment-related information (for personnel of our practice customers).
• Inferences drawn from the above to create a profile reflecting preferences and usage characteristics.

We do not knowingly collect sensitive personal information in the course of providing our services outside the context of PHI (which is governed by HIPAA and exempt from CCPA/CPRA).

10.2 Sources of personal information

We collect personal information directly from you (when you register, submit forms, or communicate with us), automatically from your use of our website and services, and from third parties as described in Section 3.4.

10.3 Purposes for collection and processing

We process personal information for the purposes described in Section 4.

10.4 Categories of recipients

We disclose the categories of personal information described in Section 10.1 to the categories of recipients described in Section 6. We have not sold or shared (as those terms are defined under the CCPA/CPRA) personal information in the preceding 12 months, and we do not knowingly sell or share personal information of consumers under 16.

10.5 California resident rights

If you are a California resident, you have the right to:

• Know what personal information we have collected, used, disclosed, and (if applicable) sold or shared.
• Delete personal information we have collected from you.
• Correct inaccurate personal information.
• Opt out of the sale or sharing of your personal information. Because we do not sell or share personal information, no action is required to opt out.
• Limit the use and disclosure of sensitive personal information.
• Non-discrimination for exercising your rights.

To exercise any California right, email sebastian@useaxis.app with "California Privacy Request" in the subject line. We will verify your identity before fulfilling a request. You may designate an authorized agent to make a request on your behalf; proof of authorization is required.

10.6 Shine the Light

California Civil Code Section 1798.83 permits California residents who have an established business relationship with us to request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

11. Other U.S. state privacy rights

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Hampshire, New Jersey, Minnesota, Tennessee, and other U.S. states with comprehensive privacy laws may have rights similar to those described in Section 10, including the right to access, correct, delete, obtain a portable copy of, and opt out of certain processing (such as targeted advertising, sale, or profiling with significant effects) of their personal information. We do not engage in targeted advertising, sale, or profiling with legal or similarly significant effects based on personal information we collect through our services.

To exercise rights under these state laws, contact sebastian@useaxis.app. We will verify your identity and respond within the timeframes required by the applicable state law.

12. Security

We maintain administrative, technical, and physical safeguards designed to protect information we process. These include:

• Encryption of data at rest using AES-256.
• Encryption of data in transit using TLS 1.3 or higher.
• Role-based access controls with multi-factor authentication for Axis personnel.
• Centralized identity management, audit logging, and continuous security monitoring.
• Third-party security assessments and penetration testing.
• Employee confidentiality obligations and security training.
• Vendor risk management and due diligence.

No system is completely secure. Notwithstanding the measures we take, we cannot guarantee that unauthorized third parties will never be able to defeat our security or improperly access, use, or disclose information. You are responsible for maintaining the security of your own credentials and devices used to access our services.

Additional detail about our security practices is available on our security page.

13. Breach notification

If we become aware of a breach of unsecured PHI, we will notify the affected practice customer in accordance with HIPAA and the BAA, generally within forty-eight (48) hours of discovery, and will cooperate with the practice in fulfilling its breach notification obligations to patients and regulators. For security incidents affecting non-PHI practice customer or visitor data, we will notify affected persons in accordance with applicable state and federal breach notification laws.

14. Cookies and tracking technologies

We and our service providers use cookies, web beacons, pixels, and similar technologies on our website. We use them for the following purposes:

• Strictly necessary: to operate the website and authenticate sessions.
• Performance and analytics: to understand aggregate usage and improve the website.
• Functional: to remember your preferences.

We do not use cookies for cross-site advertising. Most browsers allow you to control cookies through browser settings. Disabling cookies may limit your ability to use certain features.

15. Do Not Track

Our website does not respond to "Do Not Track" signals. We do not track users across third-party sites for advertising purposes.

16. AI-specific disclosures

Axis uses artificial intelligence to operate the Ava voice agent and related automated systems. When Ava places or receives a call on behalf of a practice customer, Ava may identify itself as an AI or virtual coordinator consistent with the practice's configuration and applicable law (including California Business and Professions Code Section 17941 and similar laws). Practice customers are responsible for ensuring their configuration complies with applicable AI-disclosure laws in the jurisdictions they serve.

Axis's AI systems use patient-specific context only to perform the requested task (scheduling, intake, triage routing, and related administrative functions) and do not make clinical diagnoses or treatment decisions. AI-generated outputs are probabilistic and may contain errors; practice customers are responsible for reviewing AI-generated content and implementing appropriate escalation procedures.

17. International users

Our services are offered to practices located in the United States. We do not market to, or knowingly service, practices or individuals located outside the United States. If you access our website or services from outside the United States, your information may be transferred to, stored in, and processed in the United States. By using our website or services from outside the United States, you consent to the transfer and processing of your information in the United States.

We do not offer services subject to the European Union General Data Protection Regulation (GDPR), the UK GDPR, or similar non-U.S. data protection laws.

18. Children's privacy

Our website and services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 through our website or from visitors. If your practice serves pediatric patients, PHI about those pediatric patients is handled under HIPAA through our BAA with your practice.

If you believe a child under 13 has provided personal information to us through our website, please contact us and we will delete the information in accordance with the Children's Online Privacy Protection Act (COPPA).

19. Third-party links and services

Our website and services may contain links to, or integrations with, third-party websites and services. This Policy does not apply to those third parties. We are not responsible for the privacy practices or content of third parties. We encourage you to review the privacy policies of any third-party service you access.

20. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify practice customers by email at least thirty (30) days before the changes take effect and will update the "Last updated" date at the top of this Policy. Your continued use of our services after the effective date of the updated Policy constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you must stop using the services.

21. Governing law

This Policy is governed by the laws of the State of Delaware, United States, without regard to its conflict of laws principles, except that California and other state-specific rights are interpreted under the laws of the applicable state.

22. Relationship to other agreements

This Policy is incorporated into our Terms of Service. Where we have signed a BAA, Master Services Agreement (MSA), or other written agreement with a customer, the terms of that agreement control over this Policy with respect to the subject matter of that agreement. For PHI, the BAA controls.

23. Contact

If you have questions, concerns, or requests relating to this Policy or our handling of information, please contact us:

• Privacy questions, data subject requests, and security reports — sebastian@useaxis.app
• General inquiries — sales@useaxis.app

Axis HQ, Inc.
2261 Market Street STE 62976
San Francisco, CA 94114
United States